On 01/05/2012 01:36 PM, Bennett Haselton wrote:
> http://wiki.centos.org/HowTos/SELinux
> says:
> "Access is only allowed between similar types, so Apache running as
> httpd_t can read /var/www/html/index.html of type httpd_sys_content_t."
>
> however the doc doesn't define what "similar types" means.

That is a gross oversimplification. Access is allowed based on a policy, and no "similarity" between types is required.

If you'd like to see what is allowed, you'll have to get the selinux-policy src.rpm and unpack it to examine the source for the policy. It sucks, but as far as I know, no more user-friendly method exists.

> and the robots.txt file has type file_t:
> [root@peacefire04 - /root # ls -lZ /var/www/html/robots.txt
> -rw-rw-rw- root root system_u:object_r:file_t:s0
> /var/www/html/robots.txt
>
> but Apache can of course access that file.

If apache can access a mislabeled file, then either SELinux is disabled or in permissive mode. Use "getenforce" to determine which.
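
The diagnosis described in the reply above, as an added example that is not part of the original message: a small shell model that combines the mode printed by getenforce with the label shown by ls -lZ. The allow list is a constructed stand-in for the real policy, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: a simplified model of the decision, not the real policy engine.
# DAC (rwx) permissions are a separate check and are not modeled here.

# Constructed stand-in for the loaded policy: target types that httpd_t may
# read as a file. A real policy holds a very large number of allow rules.
HTTPD_READABLE_TYPES="httpd_sys_content_t"

# Print the SELinux type from one line of `ls -lZ` output. The context is the
# first field of the form user:role:type[:level]; the type is its third part.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, part, ":") >= 3) { print part[3]; exit }
    }'
}

# explain_access MODE LS_LINE
# MODE is the word printed by getenforce: Enforcing, Permissive or Disabled.
explain_access() {
    mode=$1
    if [ "$mode" = "Disabled" ]; then
        echo "allowed: SELinux is disabled, labels are not checked"
        return 0
    fi
    ftype=$(selinux_type_of "$2")
    if [ -z "$ftype" ]; then
        echo "unknown: no security context in input"
        return 0
    fi
    for t in $HTTPD_READABLE_TYPES; do
        if [ "$t" = "$ftype" ]; then
            echo "allowed: policy has a rule for httpd_t reading $ftype"
            return 0
        fi
    done
    case $mode in
        Permissive) echo "allowed: no rule for $ftype, denial is only logged" ;;
        Enforcing)  echo "denied: no rule for $ftype" ;;
        *)          echo "unknown: unexpected mode $mode" ;;
    esac
}

# Constructed sample input, using the robots.txt line quoted in the message.
SAMPLE='-rw-rw-rw- root root system_u:object_r:file_t:s0 /var/www/html/robots.txt'
explain_access Permissive "$SAMPLE"
explain_access Enforcing "$SAMPLE"
```

On a live host the two arguments would come from `getenforce` and `ls -lZ` on the file in question.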